Security system and method for protecting a vehicle electronic system

ABSTRACT

Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation of U.S. application Ser. No.17/408,527, filed Aug. 23, 2021, which is a Continuation of U.S.application Ser. No. 16/702,617, filed Dec. 4, 2019 (issued as U.S. Pat.No. 11,120,149), which is Continuation of U.S. application Ser. No.15/924,223, filed Mar. 18, 2018 (issued as U.S. Pat. No. 10,534,922),which is Continuation of U.S. application Ser. No. 15/704,018, filedSep. 14, 2017 (issue as U.S. Pat. No. 9,965,636), which is aContinuation of U.S. application Ser. No. 14/376,827, filed Aug. 5,2014, and issued as U.S. Pat. No. 9,881,165 on Jan. 30, 2018, which is aU.S. national phase of International Application No. PCT/IL2013/050290,filed Mar. 28, 2013, which claims priority from U.S. ProvisionalApplication No. 61/617,188 filed Mar. 29, 2012, which are all herebyincorporated herein in their entirety including all tables, figures, andclaims.

TECHNICAL FIELD

The present invention relates to security systems and methods ingeneral, and in particular to protecting a vehicle's electronic systemor industrial control systems from cyber threats.

DEFINITIONS AND BACKGROUND ART Definitions, Terms, Elements ElectronicControl Unit

The term “Electronic Control Unit” (ECU) denotes herein any electronicsystem within a vehicle with processing capabilities (e.g. a radiosystem is an ECU while a wiper controlled by a relay is not). Anelectronic control unit is a type of electronic component within avehicle electronic system.

Some ECUs include an external communication interface, i.e. an interfaceto communicate with components outside the vehicle's electronic systemincluding outside the vehicle itself. ECU also stands for “EngineControl Unit” which is a special case of an Electronic Control Unit.

Bus

A bus (also referred to as communications bus) is a shared wired orwireless communication channel over which different components transferdata from one to another.

Controller Area Network Bus

Controller Area Network (CAN or CAN bus) is a vehicle bus standarddesigned to allow electronic systems to communicate with each otherwithin a vehicle without a host computer (no master required on thebus). ECUs in a vehicle usually communicate by accessing a CAN bus. CANbus is also used in systems that are not a vehicle, such as IndustrialControl Systems, and the invention encompasses uses of CAN bus or anysimilar bus in any system. For simplifying the description, mostexamples will refer to CAN bus and a vehicle.

Filter Element

Filter element denotes an element with two interfaces that uponreceiving a message either discards it, changes it or passes itaccording to various conditions e.g. message ID value. The filterelement is the part of the security system of the invention which is incharge of the logic of the filtering, e.g. classifying, analyzing andacting upon the messages received. The filter element can be either ahardware module, a software module, or a hardware and software module.The filter element may contain an additional logic module for supportingmore actions, such as generating messages itself, maintaining an innerstate, or any other action.

Proxy Element

The term proxy element as referred to herein denotes an element with atleast one communication interface that holds the current state accordingto past communication. The proxy element can send messages to itsinterface(s) according to its current state, the current input (e.g. amessage) and the time (e.g. an independent process that sends keep-alivemessages periodically). This element is usually used to allow twoparties to communicate with each other indirectly.

Attack Vectors

An attack vector is a path or means by which an attacker can gain accessto a computerized device in order to deliver a payload which will causea malicious outcome. An automobile has numerous attack vectors,including supply chain, physical access to the automotive communicationbus, physically replacing one of the vehicle's ECUs, using one of theECUs' standard connections to the external world etc.

The disclosure assumes that most of the threats originate from ECU'sconnections to the external world. The disclosure assumes each of theECUs, except the suggested security system (or device), is potentiallyvulnerable to attacks that might execute malicious code on it and maygain control over it. The attack on each ECU may be achieved using anyof its data connections (physical or wireless).

Security System

Security system denotes a system (that may be implemented also as adevice) for protecting an electronic component or bus within a vehicleelectronic system or other industrial control system, embodiments ofwhich are described in this disclosure. In some embodiments the securitysystem is a stand-alone system as described in the STAND-ALONE SYSTEMand the GATEWAY SYSTEM sections. In some embodiments the security systemis integrated inside another system as described in the INTEGRATEDSYSTEM section. The security system can also be denoted by“communication filter/proxy”.

BACKGROUND Hacking Threat

Automobiles are becoming more sophisticated and increasingly usecomputerized technology (ECU—electronic control unit) to controlcritical functions and components such as brakes and airbagsfunctionality. While the computerized technology enhances theperformance of the vehicle, compromising the operation of one of thesesafety-critical ECUs may cause severe damage to the vehicle, itspassengers and potentially even the surroundings if the vehicle isinvolved in an accident with other vehicle(s) or pedestrians.

These ECUs are usually connected via a non-secure manner such as throughCAN bus. Taking control of the vehicle's communication bus can result incompromising the safety critical ECUs (see “Experimental SecurityAnalysis of a Modern Automobile” by KOSCHER et al., 2010 IEEE Symposiumon Security and Privacy.

Some of the ECUs which are connected to the vehicle's communication bushave external connections, such as the telematics computer and theinfotainment system. It is possible to compromise one of these ECUsusing a cyber-attack. The compromised ECU serves as an entry point todeploy the aforementioned attack, see “Comprehensive ExperimentalAnalyses of Automotive Attack Surfaces”, Checkoway et al., USENIXSecurity, Aug. 10-12, 2011.

FIG. 1 and FIG. 2 present a simple vehicle's communication network ofthe art consisting of a single bus.

FIG. 1 shows a vehicle electronic system 101 comprising a plurality ofECU's 75 connected to a vehicle communication bus 105. The ECU's 75communicate with each other over the communication bus 105. A vehicleelectronic system 101 may contain multiple communication buses 105, eachconnected to one or more ECU's 75.

FIG. 2 displays a more detailed view of a vehicle electronic system 101comprising a plurality of ECU's with external connections 104, safetycritical ECU's 100 and other ECU's 106 (without external connection andnon-safety critical).

ECU's with external connections 104 include (but are not limited to)telematics 102, infotainment system 112, Tire Pressure Monitoring System(TPMS) 113, vehicle to vehicle (V2V) or vehicle to infrastructure (V2I)communication ECU 114 and any combination of ECUs with an externalconnection not specifically mentioned 109.

Safety critical ECU's 100 include (but are not limited to) the enginecontrol unit 108, brake control module (ABS/ESC etc.) 115, airbagcontrol unit (ACU) 116, transmission control unit (TCU) 117, and anycombination of safety critical ECUs not specifically mentioned 110.

Other ECU's 106 denote the set of ECUs that do not have an externalconnection and are not safety critical, which include the conveniencecontrol unit (CCU) 118 and any combination of ECUs which fall under thiscategory but are not specifically mentioned 111. All the ECUs 75communicate using the same shared communication bus 105. There is anexternal connection to the electronic system 101 using the telematicsECU 102. The telematics ECU 102 communicates using the illustratedwireless connection 202 with a wireless transceiver 201.

A vehicle electronic system 101 can be attacked where an externalcommunication source (transceiver) 201 establishes a communication line202 to an ECU, in this example the Telematics ECU 102.

Vehicle theft using CAN bus manipulation becomes more and more popular.

Another financial threat that worries OEMs and Tier-1 suppliers isunauthorized ECU 75 replacement. The owner of a vehicle may replace anexisting ECU 75 with an unauthentic/unoriginal one, for several reasons:

The ECU 75 needed to be replaced for maintenance reasons and theunauthorized replacement is cheaper (the vehicle owner may or may not beaware that the ECU 75 is not authentic); or

The replacement gives the vehicle more capabilities similarly to chiptuning (e.g. remove limitations from the engine giving morehorsepower—although it is not in the engine's specification making itmore prone to malfunction and/or making it unsafe).

The damage to the OEMs and Tier-1 suppliers is both because theiroriginal equipment isn't bought, and because the unauthorizedreplacement might damage the vehicle which is still under warranty whichthey have to cover.

Vehicle's Communication Bus

A vehicle's communication bus 105 is an internal communication networkthat interconnects components inside a vehicle. Examples of protocolsinclude CAN, Local Interconnect Network (LIN), FlexRay, Vehicle AreaNetwork (VAN) and others.

FIG. 1 and FIG. 2 present a simple vehicle's electronic system of theart consisting of a single bus.

FIG. 3 and FIG. 4 present a vehicle's electronic system of the artconsisting of several buses 105 or bus segments 105. Each bus segment105 may consist of a different type of communication protocol or of thesame communication protocol but possibly with a different configuration.

FIG. 3 illustrates an example of a vehicle's internal electronic system,comprising of several ECUs 102, 112 and 75 connected to a slowcommunication bus 301 and several ECUs 117, 116, 115, 113, 108 and 75connected to a fast communication bus 305. A bridge or a gateway 302connects the two buses 301 and 305.

FIG. 4 is a more general example of the vehicle's internal electronicsystem 101 illustrated in FIG. 3 , where three communication busses 105are connected by a gateway or bridge 302. Each communication bus 105 hasa set of ECUs 75 connected to it.

CAN Bus Gateway/Bridge

A gateway or bridge 302 connects several bus segments 105 and allowsmessages to pass between them. A bridge 302 is described, for example,in U.S. Pat. No. 6,292,862 entitled “BRIDGE MODULE”. A gateway 302 isdescribed, for example, in US Patent Application No. 2009/0198856,entitled “GATEWAY FOR DATA BUS SYSTEM”.

Gateways and bridges 302 are designed to transfer messages between bussegments 105 in a reliable manner but are not designed from acyber-security perspective. One perspective of cyber-security-directeddesign, as opposed to reliability-directed design, is message filtering.Usually a bridge or a gateway 302 will not discard messages out of theconcern that these messages will be needed and their absence will causeharm. Some gateway 302 designs exhibit monitoring abilities of selectedmessages such the one described in US Patent Application No.2009/0198856. When monitoring the communications, selected messages aresent to a monitoring interface (described below). The selectivemonitoring is often referred to as filtering; however this type offiltering does not interfere with the original communication.

CAN Bus Monitoring

A monitor is a device delivering messages being sent on a bus 105 (ortheir properties) to a diagnostic device. A monitor is either astandalone device or a module/part in another device such as a gateway302. A standalone monitor is described in US Patent Application No.2006/0182040, entitled “DEVICE AND METHOD FOR DIAGNOSIS ONMULTI-CHANNEL-CAN-APPLICATION”. Some of these monitors selectivelymonitor messages but do not intervene with the communication on the bus105.

Bus Encryption

Encryption is a common method to address authentication problems.Encryption methods for CAN bus 105 are described in US PatentApplication No. 2011/0093639, entitled “SECURE COMMUNICATIONS BETWEENAND VERIFICATION OF AUTHORIZED CAN DEVICES” and US Patent ApplicationNo. 2009/0169007, entitled “CONTROL AREA NETWORK DATA ENCRYPTION SYSTEMAND METHOD”.

While encryption can be the basis for authentication, from a systemperspective it is not a viable solution for the automotive environment.The automotive environment consists of many vendors and devices. Thesedevices are usually simple and have little processing power.

For an effective encryption scheme, either a key exchange or specificpreloaded keys are required. These are quite complicated processes giventhe limitations of the automotive industry and the devices describedabove.

The CAN bus 105 is usually quite slow and encryption demands additionalbandwidth which may slow down the communication even further, and couldimpact overall system performance.

Firewall

FIG. 5 is a schematic drawing of a Firewall integration of the art. Afirewall is a device, or set of devices, designed to permit or denynetwork transmissions based upon a set of rules and is frequently usedto protect networks from unauthorized access while permitting legitimatecommunications to pass.

FIG. 5 illustrates two networks A and B 501 separated by a firewall 503.Each network 501 has at least one computer 500 connected to it.

A firewall 503 is usually designed for Internet Protocol (IP)-basednetworks 501 and uses the IP and Transmission Control Protocol (TCP)characteristics of the communication. Currently, there are no firewalls503 intended for CAN bus 105. CAN messages differ from IP messages inmany aspects such as size, headers, content etc.

The assumptions of IT firewall 503 designers differ from the assumptionsrequired in designing a protection for a safety critical system. A falsepositive or a false negative identification of a message in the IT arenausually does not have a direct physical impact (unlike the industrialcontrol systems (ICS) arena where computers control physical processessuch as temperature, pressure, engines etc.). An automotive involveshuman lives and ECUs 75 directly influence the automobile'sfunctionality; therefore a traditional firewall 503 is not applicable inthis case.

Firewall 503 implementation for a native CAN BUS communication bus 105does not exist. In general, Industrial Control Systems (ICS) securitysolutions lack filters and firewalls 503 and usually exhibit a diode(one way communication) and network separation solution. These solutionsare not viable for an automotive since an automotive requires two-waycommunications.

SUMMARY OF INVENTION

It is an object of the present invention to provide a security system.

It is another object of the present invention to provide a securitysystem to protect an electronic system against malicious messages.

It is a further object of the present invention to provide a securitysystem to protect an electronic system of a vehicle against maliciousmessages.

It is yet another object of the present invention to provide a securitysystem to protect an electronic system of any transportation meansagainst malicious messages.

It is yet a further object of the present invention to provide asecurity system to protect an industrial control system againstmalicious messages.

It is yet another object of the present invention to provide a securitysystem to protect any electronic system comprising a CAN Bus againstmalicious messages.

The present invention relates to a security system by whichcomputer-based equipment, information and services are protected fromunintended or unauthorized access, change, malfunction or destruction.

The present invention thus relates to a security system for protecting avehicle electronic system from malicious messages, comprising:

-   -   (i) one or more message receiving units, each message receiving        unit connected to one or more communication buses via one or        more ports, for receiving all messages sent from a source        communication bus to a destination communication bus, prior to        their arrival to said destination bus;    -   (ii) one or more message classification units which receive        messages from the one or more message receiving units and        classify them according to the port upon which the message was        received, and according to at least one message property;    -   (iii) one or more message analyzer units which analyze a message        according to its classification from the one or more message        classification units and decide whether to transfer the message        to the appropriate transmission unit as is, block the message or        perform at least one of the following actions: (1) transfer a        modified version of the message to the appropriate transmission        unit; (2) limit the rate that such messages can be delivered to        the appropriate transmission unit to predetermined value per        time unit; (3) add a signature to the message and transfer it to        the appropriate transmission unit; (4) verify that the message        has arrived with a valid signature as a condition to transfer to        its appropriate transmission unit; or (5) transfer the message        to the appropriate transmission unit only after performing an        authentication procedure; and    -   (iv) one or more message transmission units which receive from        the one or more message analyzer units messages to be        transmitted to a destination bus, and transmit said messages to        the destination bus.

In some embodiments, the vehicle is a car, a truck, a motorcycle, atrain, a tank, an airplane, a missile, a spaceship, a rocket or a robot.

In some embodiments, the malicious messages are valid messages that aresent in high volume in order to saturate a system resource and make itunavailable or slow to respond to legitimate messages.

In some embodiments, the source communication bus and the destinationcommunication bus are the same communication bus.

In some embodiments, the system comprises at least two bus interfacesand can filter messages in each direction, from any communication bus toany communication bus.

In some embodiments, the one or more message analyzer units and the oneor more message classification units are replaced by a proxy.

In some embodiments, the at least one message property comprises messageID, a message data field, or the message length.

In some embodiments, the at least one bus is a CAN BUS.

In some embodiments, the modified version of the message to itsdestination bus is an encrypted message or a message with an addition ofa signature. Alternatively, a modified message can be both encrypted andwith a signature.

In some embodiments, the message analyzer unit applies more than onerule on a received message.

In some embodiments, the system activities are logged for statisticspurposes.

In some embodiments, the system is integrated with an ECU or astand-alone system coupled to at least one ECU or a stand-alone systemnot coupled to any ECU.

In some embodiments, the security system is used for preventing vehicletheft, chip tuning or any unauthorized intervention in the vehicleoperation.

In some embodiments, a plurality of ECU's with external connections areprotected by said security system.

In some embodiments, all ECU's with external connections are protectedby said security system.

In some embodiments, at least one security system is placed on thecommunication path between at least one ECU with an external connectionand at least one safety critical ECU.

In some embodiments, a security system is placed on the communicationpath between each ECU with an external connection and each safetycritical ECU.

In another aspect, the present invention further relates to a securitysystem for protecting an industrial control system's electronic systemfrom malicious messages, comprising:

-   -   (i) one or more message receiving units, each message receiving        unit connected to one or more communication buses via one or        more ports, for receiving all messages sent from a source        communication bus to a destination communication bus, prior to        their arrival to said destination communication bus;    -   (ii) one or more message classification units which receive        messages from the one or more message receiving units and        classify them according to the port upon which the message was        received, and according to at least one message property;    -   (iii) one or more message analyzer units which analyze a message        according to its classification from the one or more message        classification units and decide whether to transfer the message        to appropriate transmission unit as is, block the message or        perform at least one of the following actions: (1) transfer a        modified version of the message to the appropriate transmission        unit; (2) limit the rate that such messages can be delivered to        the appropriate transmission unit to predetermined value per        time unit; (3) add a signature to the message and transfer it to        the appropriate transmission unit; (4) verify that the message        has arrived with a valid signature as a condition to transfer it        to the appropriate transmission unit; or (5) transfer the        message to the appropriate transmission unit only after        performing an authentication procedure;    -   (iv) one or more message transmission units which receive from        the one or more message analyzer units messages to be        transmitted to a destination bus, and transmit said messages to        the destination bus.

In some embodiments, at least one bus is a MODBUS, MIL-STD-1553 orMIL-STD-1773 ARINC.

In yet another aspect, the present invention relates to a securitymethod for protecting a vehicle electronic system from maliciousmessages, comprising:

-   -   (i) intercepting messages sent from a source communication bus        to a destination communication bus via one or more ports, prior        to their arrival to said destination communication bus;    -   (ii) classifying said messages according to the port upon which        the message was received, and according to at least one message        property;    -   (iii) analyzing said messages according to their classification        and deciding whether to transfer the message to its destination        communication bus as is, block the message or perform at least        one of the following actions: (1) transfer a modified version of        the message to its destination communication bus; (2) limit the        rate that such messages can be transferred to a destination        communication bus to predetermined value per time unit; (3) add        a signature to the message and transfer it to its destination        communication bus; (4) verify that the message has arrived with        a valid signature as a condition to transfer to its destination        communication bus; or (5) transfer the message to its        destination communication bus only after performing an        authentication procedure;    -   (iv) transmitting messages to their destination communication        bus based on the analysis of step (iii).

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 illustrates an example of a vehicle's electronic system of theart, comprising of ECUs and a communication bus;

FIG. 2 illustrates a more detailed example of a vehicle's electronicsystem of the art, comprising of ECUs with external communications,safety critical ECU's and other ECU's, all ECU's connected to acommunication bus. An external connection is established to theelectronic system from an external communication source to thetelematics ECU;

FIG. 3 illustrates an example of a vehicle's internal electronic systemof the art, comprising of ECUs connected to two communication buses withdifferent speeds, and a bridge or a gateway connecting the two buses;

FIG. 4 is a more general example of the vehicle's internal electronicsystem of the art illustrated in FIG. 3 wherein a gateway or a bridgeare connected to multiple communication buses;

FIG. 5 illustrates two networks of the art separated by a firewall;

FIG. 6 is an illustration of the electronic system illustrated in FIG. 2wherein all the ECU's with an external connection are protected bystandalone security systems (communication filter/proxy), according toan embodiment of the invention;

FIG. 7 exemplifies the integration of the security system (communicationfilter/proxy) as a gateway between three communication buses, accordingto an embodiment of the present invention;

FIG. 8 illustrates the integration of the security system (communicationfilter/proxy) connected serially to an existing gateway, according to anembodiment of the present invention;

FIG. 9 illustrates the integration of the security system (communicationfilter/proxy) as an integrated security system inside an ECU, accordingto an embodiment of the present invention;

FIG. 10 illustrates a general message flow between two communicationbuses connected to a security system (communication filter/proxy), and aconnection to a configuration and diagnostics computer, according to anembodiment of the present invention;

FIG. 11 is a top view illustration of the various modules of oneembodiment of the security system (communication filter/proxy),according to an embodiment of the present invention;

FIG. 12 is flowchart illustration of one example of message handlingdone by the embodiment illustrated in FIG. 11 , according to anembodiment of the present invention;

FIG. 13 illustrates a basic interface's message handler without aconfiguration interface. This is an example of an integrated messagereceiving & transmission unit, without the configuration interface,according to an embodiment of the present invention;

FIG. 14 illustrates an interface's message handler, which also functionsas the message receiving and transmission units. It is an example of anintegrated message receiving & transmission unit, according to anembodiment of the present invention;

FIG. 15 is a flowchart illustrating an example of the message handlingin a message handler such as illustrated in FIG. 14 , according to anembodiment of the present invention;

FIG. 16 is a block diagram illustrating one example of a filter/proxyelement (combined message classification/message analyzer unit),according to an embodiment of the present invention;

FIG. 17 is a block diagram illustrating one example of the filter/proxyelement (combined message classification/message analyzer unit)illustrated in FIG. 16 , according to an embodiment of the presentinvention;

FIG. 18 is a flowchart illustration of one example of a message handlinglogic implemented by a filter/proxy element (combined messageclassification/message analyzer unit) illustrated in FIG. 17 , accordingto an embodiment of the present invention;

FIG. 19 is a block diagram illustration of one example of a timing rule.A timing rule is a rule that can be integrated in a filter/proxy element(in the message analyzer unit) as one of the rules used, according to anembodiment of the present invention;

FIG. 20 is a flowchart illustration of one example of message handled bya timing rule illustrated in FIG. 19 , according to an embodiment of thepresent invention;

FIG. 21 is a block diagram illustration of one example of a proxyelement (in the security system), according to an embodiment of thepresent invention;

FIG. 22 is a block diagram illustration of one example of a linkemulator such as Link emulator A of FIG. 21 , according to an embodimentof the present invention;

FIG. 23 is a block diagram illustration of one example of the proxyelement illustrated in FIG. 21 . This illustration exemplifies the useof a security system containing a proxy to protect a vehicle fromattacks origination from the infotainment system, according to anembodiment of the present invention;

FIG. 24 is a block diagram illustrating one example of a security systemof the invention consisting of one message receiving unit, one messageclassification unit, one message analyzer unit and one messagetransmission unit; and

FIG. 25 illustrates an example of two ECUs with integrated securitysystems of the invention comprising authentication units, and connectedon the same communication bus.

MODES FOR CARRYING OUT THE INVENTION

In the following detailed description of various embodiments, referenceis made to the accompanying drawings that form a part thereof, and inwhich are shown by way of illustration specific embodiments in which theinvention may be practiced. It is understood that other embodiments maybe utilized and structural changes may be made without departing fromthe scope of the present invention.

The figures described herein illustrate blocks. Each block can representany combination of hardware, software and/or firmware which performs thefunctions as defined and explained herein.

Modern vehicles increasingly use more efficient computerized, electroniccomponents and sub-systems instead of mechanical parts. Such systems arecontrolled by ECUs 75, which are connected through one or morecommunication buses 105. In case that more than one communication bus105 exists, the buses 105 are usually connected using bridges orgateways 302. Some of these ECUs 75 controlled systems are safetycritical systems 100, such as the engine control unit 108 or the brakecontrol module 115, and some are less critical or non-critical systems,such as infotainment systems 112 and wireless tire pressure sensors 113.Some of the systems mentioned above are ECU's with external interfaces104, for example, the tire pressure sensors 113 communicate wirelesslywith a receiver on the bus 105, the radio 112 has wireless (radio, RadioData System (RDS), etc.) and local (e.g. media files) interfaces and thetelematics 102 (e.g. On-Star™) has a cellular interface 202.

Though these interconnected computerized systems 75 offer the userincreased performance of the vehicle and additional services, there isan inherit danger in such architecture wherein anyone who gets access toa communication bus 105 of the vehicle may maliciously interfere withthe proper operation of the systems 75 communicating over the bus 105,among them the safety critical systems 100. There are many ways suchattacks can be accomplished once access is gained to a communication bus105. Some examples include: attacking any system 75 directly; sendingmessages constantly over the bus 105 preventing others fromcommunicating (denial of service); impersonating to other devices 75sending false messages; sending messages that will have a harmful effect(press the brakes, disable the Anti-Lock Braking System 115, etc.);sending messages to limit the functionality of a part 75 (limit speedetc.), etc. In today's vehicle architecture, there is no securedisolation between the safety critical systems 100 and the other systems104 and 106.

Some embodiments of the present invention relate to acyber-security-directed design which selectively intervenes in thecommunication path in order to prevent the arrival of malicious messagesat ECUs 75 (in particular at the safety critical ECUs 100). The securityperspective suggests that more damage can be caused by passing apotentially unwanted message than by blocking or changing it. However,there may be reliability implications. In a cyber-security-directeddesign, reliability issues can be solved using methods described herein.

In some embodiments, the security system of the invention includes afilter which prevents illegal messages sent by any system or device 75communicating over the communications bus 105 from reaching theirdestination. The filter of the invention may, at its discretionaccording to preconfigured rules, change the content of the messages orlimit the rate such messages can be delivered, by buffering the messagesand sending them only in preconfigured intervals. The rules in thefilter of the invention, which determine which messages are allowed andwhich are not allowed and the rate of the messages, can be configuredusing an external interface of the filter. The security system can belocated, for example, between each system component which has anexternal interface 109 and the communication bus 105, protecting the bus105 and the electronic devices 75 connected to it from the component109.

In some embodiments, the security system of the invention has at leasttwo bus 105 interfaces and can filter messages in each direction. Thefiltering is done in any appropriate way, for instance, according to themessage's properties (such as message headers, data, etc.) and/oraccording to inner state properties of the security system (such as thephysical interface through which the message was sent, the timings,etc.) or any combination of the above.

In some embodiments, the security system has proxy capabilities. A proxysaves the state of the communication protocols over one or more of itsphysical interfaces. It also independently manages the communicationprotocol over each of its interfaces (such as sending keep-alivemessages to the radio without involving other components 75).

In some embodiments, the security system has gateway 302 capabilities.It can connect two or more communication buses 105 which may havedifferent physical properties.

In some embodiments, the security system can save its configurations ina non-volatile memory, and the configurations and the non-volatilememory may be updated from an external source.

In some embodiments, the security system may save statistics, monitoringdata etc. internally for later usage, for example, when such data isread externally later.

In some embodiments, the security system can internally update thenon-volatile memory contents.

In some embodiments, the security system can be integrated insidecurrent ECUs 75, between the physical driver and the logical part of theECU 75, saving the need for additional physical interfaces for thesecurity system. In other embodiments, the security system can be astand-alone security system. The stand-alone security system of theinvention can be coupled to a single ECU 75, coupled to a plurality ofECU's 75 or not coupled to any ECU 75.

In some embodiments, the security system can be integrated into a systemcontaining one or more communication buses 105 and ECUs 75. It can learnthe communication properties of the different parts 75 of the system,build filtering rules in an autonomic fashion, and filter when thelearning phase is over.

Some embodiments may include a combination of any of the aforementionedembodiments.

Other aspects of the currently disclosed subject matter will becomeapparent by consideration of the detailed description and theaccompanying drawings.

System Integration and Placement

There are several potential embodiments of the invention from a systemintegration point of view. In some embodiments, the security system willact as a protection system or device between at least two communicationbuses 105 or components 75.

Attacking an automobile (without physically tampering or pre-installinga backdoor) requires logical access to its electronic components 75. Thesuggested integration positions of the security system of the invention,according to some embodiments, prevent an improper logical accessoriginating from external interfaces 202 from reaching safety criticalcomponents 100. Therefore, the integration of the security system canprotect from life threatening cyber-attacks. Assuming the securitysystem is configured correctly, a potentially hermetic protection isachieved.

In some embodiments, when dealing with chip tuning, unauthorized ECU 75replacement and vehicle theft, the security system of the invention canbe coupled with ECUs 75 that need to be protected and/or authenticated(e.g. antitheft ECU 75, immobilizer 110, engine control unit 108, etc.)

If the security system has a configuration port, in some embodiments theconfiguration port will not be connected to any untrusted communicationbuses 105.

In some embodiments, the configuration port can be connected in-band,i.e. to one or more of the communication buses 105, given it isprotected in some manner. In some embodiments, this in-bandconfiguration is optional and can be disabled after the initialconfiguration stage (e.g. during vehicle manufacturing or assembly) iscompleted. In some embodiments, special configuration messages sent overthe communication bus 105, will be transferred to the configurationinterface for processing, and will cause a change in the configuration.

Standalone Device

FIG. 6 illustrates stand-alone security system integration, according tosome embodiments. FIG. 6 is an illustration of the electronic system 101illustrated in FIG. 2 protected by standalone security systems (referredto as communication filter/proxy devices) 703 of the invention. All ECUswith external communication interfaces 104 are protected by stand-alonecommunication filter/proxy protection devices 703. The ECUs 104 areconnected to the security system 703 via an interface 119. The interface119 can be any communication interface including a communication bus105.

In some embodiments, the security system 703 is a stand-alone system ordevice. The security system 703 has at least two communicationinterfaces and may additionally have a configuration port.

In some embodiments, the security system 703 is placed between an ECUthat has an external interface 109 (physical or wireless e.g. radio ortelematics) and the communication bus 105. Each ECU which has anexternal connection 109 may be serially connected to the security system703 in order to protect other ECUs 75 from the communication originatingfrom it.

In some embodiments, the security system 703 is integrated with ECUsthat don't have an external interface 106 in order to deal with threatssuch as vehicle theft, chip tuning, unauthorized ECU 75 replacement etc.

In some embodiments, the power supply to the security system 703 iseither external or originates from the communication interfaces (adedicated line or bootstrapped from the communication bus 105).

Optionally, the stand-alone security system 703 can electrically drivethe communication bus 105 attached to it (e.g. provide negative voltageand termination on a CAN bus 105). This option may be configurable foreach of the communication ports, depending on the implementation. Thisoption emulates the physical properties of the bus 105 towards anysegment it is connected to. In case of retrofitting; it saves the needto install an additional physical driver to the bus 105.

In some embodiments, this integration allows for the retrofitting of anautomobile, without replacing existing ECUs 75.

In some embodiments, when each security system 703 generally handlesonly one ECU 75, its configuration and operation is rather simple, andit can be implemented with simple hardware architecture (compared toother alternatives).

Gateway Device

In some embodiments, the security system 703 is a stand-alone system ordevice. The security system 703 has at least two communicationinterfaces and may additionally have a configuration port.

In some embodiments, the security system either replaces an existinggateway/bridge 302, as shown in FIG. 7 , or is integrated between agateway/bridge 302 and one of their connected communication buses 105 asshown in FIG. 8 .

Optionally, the security system 703 can electrically drive thecommunication bus 105 similarly to the stand-alone security system ordevice 703 described above.

In some embodiments, if the security system 703 replaces an existinggateway/bridge 302, it will also function as one (e.g. convertingprotocols, connecting the buses 105).

In order for this type of integration to be effective, an appropriatearchitecture of the automobiles' communication buses 105 must beimplemented. In some embodiments, the design may have to include asecurity system of the invention 703 in every path between a safetycritical ECU 110 and an ECU with an external interface 109 (e.g. all theECUs with an external connection 104 are connected to a single segment105, separated from the other ECUs 75 by a security system 703).

In some embodiments, such integration allows for the retrofitting of anautomobile without replacing existing ECUs 75.

In some embodiments, each security system 703 has to handle thecommunication of several ECUs 75 connected to the bus. Therefore, theconfiguration and implementation is potentially more complex, and morecomplicated hardware is required. Such design may require an integrationof a single security system 703. On one hand, such a security system 703may be more complex and expensive. On the other hand, it substitutesmultiple simpler security systems 703; therefore it may be financiallyworthwhile. Additionally, the design requires a single point ofconfiguration which may become more convenient for design andmaintenance.

Integrated Security System

In some embodiments, the security system 703 is integrated inside an ECU905 as depicted in FIG. 9 . The security system 703 has at least twocommunication ports 901 and 903, one 903 connected to the physical layerdriver 904 and the other 901 connected to the rest of the ECU's logic900 (e.g. ECU's controller) using its native physical layer (e.g.Complementary Metal Oxide (CMOS) or Transistor Transistor Logic (TTL)).The physical layer driver 904 is connected to the communication bus 105.

In some embodiments, the integration of the security system 703 insidean existing ECU 905 will save many components (e.g. power supply,mechanical casing, physical drivers etc.) thus making the design cheaperand more robust.

In some embodiments, the security system 703 will be integrated in thesame ECUs 905 (those with external interfaces 104) and with the sameconfigurations as in the case of a stand-alone security system 703.

In some embodiments, integration will enable a supplier of ECUs 75 tointegrate a security solution 703 done by a trusted 3rd party, thusproviding a complete and secure ECU 905.

In some embodiments, this solution will not allow for retrofitting intoexisting ECUs 75. However, it will be viable for new designs. Thissolution embodies all of the advantages of the stand-alone securitysystem 703.

When referring to an ECU 75 coupled with a security system it may alsorefer to an ECU with an integrated security system as in the case of905.

Internal Design

For clarity reasons, the security system's 703 core which is responsiblefor the security aspects of the security system 703 (e.g. filtering orserving as a proxy) is referred to in some embodiments described hereinas “filter element” or “proxy element”. However, it is possible that anelement designated as “filter element” may also provide proxyfunctionality, and/or an element designated as “proxy element” may alsoprovide filter functionality. All these variations and combinations areencompassed by the present invention.

Additionally, for simplicity's sake the message flow is depicted in someembodiments herein as if a simple rule based filter is used, although amore complex rule based filter can be applied and is encompassed by thepresent invention. For example, multiple rules can be applied to thesame message.

Top View

FIG. 10 illustrates the security system's 703 general overview, in whichthe filter/proxy element 1304 (which functions as the messageclassification unit and the message analyzer unit) connects to twocommunication buses 105 using two message handlers 1801, according tosome embodiments of the present invention. In some embodiments, thefilter/proxy element 1304 receives messages from one of these buses 105through an input buffer 1302 (of the message handler 1801), filtersthese messages, and sends the filtered messages through the appropriateoutput buffer 1303 (of the message handler 1801), to the othercommunication bus 105. The security system 703 can also serve as afiltering gateway between two different buses 105 and do any necessaryconversions (such as protocol conversions) between the buses 105, asseen in FIG. 7 .

In some embodiments, as seen in FIG. 10 the security system 703 can beconfigured by an external device (e.g. configuration/diagnosticscomputer) 1408, through an out of band (OOB) interface such as a serialconnection (e.g. RS-232). The configuration affects the securitysystem's 703 behavior, the messages it lets through, changes or blocks,and any other of its configurable properties. The new configuration canbe saved so next time the security system 703 resets, the newconfiguration will run at startup.

The message handler 1801 includes (1) a message receiving unit forreceiving a message to its input buffer 1302 from the communication bus105; and (2) a message transmission unit for transmitting a message fromits output buffer 1303 to the communication bus 105.

FIG. 11 illustrates the security system's 703 top view in more detailthan illustrated in FIG. 10 , according to some embodiments of thepresent invention. Messages arriving into message handler 1801(described in more detail in FIG. 14 , and also functions as the messagereceiving unit and the message transmission unit) through the physicalinterface I/O 1800, or any other interface of it, are sent to the properinterface. If sent to the configuration interface, it will be handled bythe configuration, statistics and control module 1807 which can handleit in any configured way (e.g. send it through the OOB interface I/O1806 out of the system for logging, inspection, or any other purpose).If the message is sent to the filter/proxy element 1304, it inspects itand decides whether to send it to the destination interface or not. Ifthe message is to be sent to the destination interface by thefilter/proxy element 1304 (combined message classification unit andmessage analyzer unit), it is sent to the appropriate message handler1801. The message handler 1801, handles the message in some embodimentsas depicted in FIG. 14 and FIG. 15 , and sends it to the properdestination interface (e.g. physical interface I/O B 1800). Theinterfaces 1808 between the message handlers 1801 and the filter/proxyelement 1304 are named “proxy interface” and they fit both filtersand/or proxies (they can also be referred to as “filter interface” or“filter and/or proxy interface”).

Some embodiments of the described process are illustrated in FIG. 12 .In step 3200, a message is received in the message receiving unit of themessage handler's 1801 interface, e.g by its physical interface, and issent to one or more of its interfaces in step 3201. If the message is tobe sent to the physical interface, it's sent to its physical interfacein step 3202. If the message is to be sent to the configurationinterface 1602, it is handled by the configuration interface 1605according to its functionality, e.g. printed on the screen of theoperator, written to a log, etc. in step 3204. If the message is to besent to the filter/proxy interface 1604, it is sent to the appropriatefilter element 1304, and is classified by its message classificationunit in step 3203, which sends it to the filter element's messageanalyzer unit. The filter element 1304 then checks the legality of themessage (by the message analyzer) in step 3205. If the message isillegal, it will be discarded in step 3206. If the message is legal, itis sent to its destination (which can be the opposite message handler1801) in step 3207.

Message Handler

FIG. 13 depicts the simple form of the message handler mechanism 1801each (filter/proxy element 1304) interface has, according to someembodiments of the present invention. In some embodiments, each messagearriving from a physical interface 1800 is processed by a messagereceiving unit of a message handler 1801 and sent to the input buffer1302 of the filter/proxy element 1304. Each message which originatesfrom another interface's message handler and is destined to interface1800 and allowed by the filter/proxy element 1304 is sent to theappropriate output buffer 1303. From the output buffer 1303 it is sentto the message transmission unit of the message handler 1801 and sentout to the physical interface 1800. The message receiving unit and themessage transmission unit can be either separate units, or integratedtogether into a message handler 1801 for more efficient two-waycommunications with a communication bus 105.

FIG. 14 describes a more complex form of the interface's message handler1801 than described in FIG. 13 , according to some embodiments of thepresent invention. Each message arriving from a physical interface I/O1800 to the physical interface 1602 through the transceiver 1301 goesinto the routing component 1603. The routing component can determine themessage's inner headers (such as message source or any other informationabout the message) and then decides towards which destination to sendthe message, according to its routing algorithm. The possibledestinations include, but are not limited to, zero or more of theinterfaces illustrated in the figure through their respective inputbuffers, such as: the physical interface 1602, the filter/proxyinterface 1604 or the configuration module interface 1605. There can beany number of other such interfaces as well. The message is sent to theproper interface which handles it. The routing component 1603 can beconfigured through the configuration module 1807 (the configurationdataflow is not explicitly drawn), to change its behavior, such aschanging its routing tables or routing algorithm. Messages arriving fromthe filter/proxy element 1304 through its I/O interface 1808 are sent tothe routing component which sends them to the proper interface asdescribed above. Messages arriving at the configuration module interface1605 from the routing component are sent to the configuration module1807 through the configuration output buffer 1607 and the externalinterface transceiver 1608. The external interface transceiver 1608 canbe implemented as a software and/or hardware module. In someembodiments, the external interface transceiver 1608 is optional and canbe omitted. The configuration module 1807 handles messages in variousways, e.g. print on the operator screen (if such thing exists), and canbe used for any purpose, e.g. inspection, sending messages, controllingor debugging the system. FIG. 15 describes the message flow in theinterface's message handler 1801, according to some embodiments. Amessage is received by the message receiving unit in one of the messagehandler's interfaces in step 3200. The message headers of the messagecan then be determined in step 3301, and the message's appropriaterouting is decided in step 3302. The message is then sent to itsdestination interface in step 3303. The classifier and analyzer are partof the filter/proxy element 1304, so only if the message is directed tothe filter/proxy element 1304 they will handle it. The other optionsrouting a message are to the physical interface 1602 or theconfiguration interface 1605. Since the classifier and analyzer are notpart of the message handler, 1801 they are not described here. Theinterface's message handler 1801 may collect and save any statisticsinformation about the system and the messages being sent to it or fromit (e.g. the number of messages that were received from or sent to eachinterface).

In some embodiments, each filter element 1304 is coupled with at least 2such message handlers 1801 and each proxy element 1304 is coupled withat least one such message handler 1801, one for each interface that theyare connected to.

Configuration Module

The “configuration module” 1807 denotes the “configuration, statisticsand control module” 1807 (some embodiments being illustrated in FIG. 11).

In some embodiments, the configuration module 1807 is connected to theInterface's messages handler 1801 using two types of connections: amessages connection 1609 and a configuration connection 1810. Theconfiguration module 1807 can send or receive messages to/from theinterface's message handler 1801 through the messages connection 1609.The configuration module 1807 is connected to the filter/proxy element1304 using a configuration connection 1810. The configuration module1807 controls the configuration of the filter/proxy element 1304 and themessage handlers 1801 through the configuration connection 1810,changing their behavior, logging their activities, and/or any otherconfigurable change they support. This module 1807 is controlledexternally using an OOB interface (external interface I/O) 1806, whichcan be any data interface (e.g. Universal Asynchronous ReceiverTransmitter (UART) interface). The configuration module 1807 can alsohave a non-volatile memory 1805 connected to it (e.g. flash memory).This memory 1805 stores data which is used by the configuration module1807. Such data can include, but is not limited to, different systemconfigurations to be loaded into the system components (e.g. the filterelements 1304 and the interfaces' message handlers 1801), andstatistical information. It might also, but not necessarily, be possibleto manipulate this memory 1805, through the OOB interface 1806 ordirectly. Such manipulation may include, but is not limited to, deletingthe memory, copying it, dumping it, copying new information into it,etc.

In some embodiments, the configuration module 1807 can be connectedin-band, i.e. to one or more of the communication buses 105, given it isprotected in some manner. In some embodiments, this in-bandconfiguration is optional and can be disabled after the initialconfiguration stage (e.g. during vehicle manufacturing or assembly) iscompleted.

Filter/Proxy Element

FIG. 16 illustrates a simple example of a filter/proxy element (combinedmessage classification and message analyzer units) 1304, built from twointerface filtering components 2001, according to some embodiments ofthe present invention. Each interface filter component 2001 filtersmessages arriving from its input interface (message receiving unit) andsends them after filtering to its output interface (message transmissionunit). A more detailed example of 2001 is illustrated in FIG. 17 ,according to some embodiments. A message arrives from the proxyinterface input 2000 of the message handler 1801, and goes into the ruleselector 2100 of the message classification unit (also referred to asclassifier), which according to the message properties (such as headers,source, destination, data, or any other properties) sends it to theproper rule 2102 in the message analyzer unit. If no proper rule isfound, the rule selector rejects the message according to its policy(possible policies are described below). The appropriate rule 2102 (ofthe plurality of rules 2102) which receives the message checks it morethoroughly and decides whether the message should be allowed or not, orshould be modified. The action upon the result of a rule 2102 is part ofthe message analyzer's unit. If the message should be allowed, the rule2102 passes the message to the proxy interface output 2002 connected tothe message transmission unit of the message handler 1801. If themessage should be changed, the rule 2102 (of the analyzer) can make thenecessary changes and pass the message to the proxy interface output2002 connected to the message transmission unit. In some embodiments, ifthe message should not be allowed, the rule selector 2100 is notifiedand it chooses the next proper rule 2102 for the message or rejects themessage according to its policy. If no more proper rules 2102 are found,the rule selector 2100 acts according to its policy in such case. Therule selector 2100 policy may include, but is not limited to, discardingthe message, notifying the sender, or performing any preconfiguredaction. A rule 2102 can be of any type and can also be timing rule aswill be described below. A rule 2102 may require that a message issigned, that a message signature is verified, or conditionaltransmission of a message as described in the authentication modulesection below. It should be clear that the term rule 2102 encompassesany combination of a plurality of rules 2102, thus more than a singlerule 2102 can apply to any one message. The number of rules 2102 is notlimited and can vary. In some embodiments, the configuration module 1807may also control the adding or removing of rules 2102 dynamically. Arule 2102 can contain any filtering logic to decide whether a message islegal or not. Such logic may include but is not limited to, propertiesof the message, message's headers, message's content, message length,the filter state, timings of the message or any other parameters orproperties or any combination of these properties, in a whitelist orblacklist manner. An example of a filtering logic can be checking thatthe message destination is ‘y’, the ID of the message is between ‘xx’ to‘zz’, the message data length is 3 and the first two bytes of themessage are ‘aa’ and ‘bb’.

FIG. 18 illustrates an example of the filter logic and the message flowdescribed, according to some embodiments. The message is received in theproxy interface input in step 3000 and is delivered to the messageclassification's unit rule selector 2100, which selects the nextappropriate filter rule 2102 to filter the message with in step 3001. Ifno appropriate rule 2102 was found, the message can be discarded in step3206. If a rule 2102 was found, the message is checked by the rule 2102(by the message analyzer unit) for its legality according the rule 2102in step 3003. If the message is not legal according to the rule 2102, itreturns to the rule selector 2100 to select the next appropriate rule2102 in step 3001. In some embodiments, if the message is legalaccording to the rule 2102, it is sent to the proxy interface output2002 in step 3207.

Timing Rules

FIG. 19 describes a timing rule 2300, which is a type of rule 2102 thatcan be added to the rules 2102 list (e.g. as rule 2102) in the filterelement 1304 described above, according to some embodiments of thepresent invention. The difference between a timing rule 2300 and aregular rule 2102 is that the timing rule 2300 does not only filter theincoming messages, but it also applies rate limit according to a policywhich can also include traffic shaping of the communication, forexample, sending messages to the proxy interface 1808 in predefinedtimings (leaky bucket), thus preventing denial of service (DOS) attacks.When the rule selector 2100 sends the received message to a timing rule2300, the filtering logic 2301 works as in a regular rule 2102. In casethe message is allowed, it is sent through interface 2302 to the ruleoutput buffer 2303, in which it is buffered and waiting to be sent tothe proxy interface output 2002. When the right timing arrives, thetiming function 2305 checks whether there are messages waiting in theoutput buffer 2303, and if so, pulls a message out through interface2304 and sends it to the proxy interface output 2002. In case themessage is illegal, the filtering logic 2301 will reject the message. Inany case, be it a legal or illegal message, the rule selector 2100 canbe notified of the operation's result.

FIG. 20 illustrates an example of the timing rule 2300 logic and themessage flow described, according to some embodiments. The message isreceived in the proxy interface input 2002 in step 3000 and is beingfiltered as in a regular (not timing) rule 2102 in step 3101) If themessage is illegal, it is discarded in step 3102. In case the message islegal it is stored in the output buffer of the timing rule 2300 andwaiting to be sent in step 3103. When the time arrives, the timing taskof the rule 2300 transfers the message waiting in the output buffer tothe transmission unit to be sent to its destination in step 3104. Theadvantage of using a timing rule 2300 is preventing DOS attacks.Examples of such DOS attacks include, but are not limited to, rapidmessage sending and planed timing of message sending. Additionally thistype of rule can help deal with malfunctions sending many messages overthe communication bus 105 which leads to DOS. Another advantage is theability of such filter to bridge between two buses 105 with differentcapabilities of handling messages pace. This type of filter 703 is quitesimple to configure compared to other stateful filters and can handlemany threats.

Proxy

FIG. 21 illustrates the proxy element 2500 design, according to someembodiments of the present invention. The proxy element 2500 isconnected to one or more message handlers 1801 through interfaces 1808.Each proxy element 2500 is composed of link emulators (one for eachinterface) 2501, and one state filter and updater 2502. A proxy element2500 emulates the operation of one bus 105 segment towards the otherwithout allowing direct communication between the segments. All themessages transferred towards any segment using a proxy element 2500 arecreated by the proxy element 2500 using its state machines and rules(unlike a conventional filter that allows messages that are not blockedto pass).

In some embodiments, it is possible to use a proxy element 2500connected only to one message handler 1801, in case there is a need toemulate a disconnected side as if it was connected. An example to suchcase can be assembling a radio which needs a connection to the vehiclewithout making the connection, by emulating such connection using aproxy element 2500.

FIG. 22 illustrates one embodiment of a Link Emulator 2501 whichemulates a communication protocol between two or more participantstoward the participants that are connected to its emulated side (e.g. ifTCP is the protocol, the emulator will send Ack (Acknowledge) messagesfor each message received), according to some embodiments. The linkemulator 2501 manages and saves a state of the communication (e.g. ifTCP is the protocol, the emulator will save a window of the Acknowledgedmessages). The state that the link emulator stores may include any dataand meta-data related to received and sent messages. The link emulator2501 can update the state filter and updater passively or actively withits current state. The communication will be affected by the linkemulator's state, the received messages and the time.

In some embodiments, the link emulator 2501 illustrated in FIG. 22consists of a protocol abstraction layer/high level driver 2601, a statemachine 2602 and state/configuration data module 2603. A protocolabstraction layer 2601 acts as an abstraction layer of the communicationprotocols the proxy element 2500 handles. It communicates in arelatively simple manner with the state machine 2602, by sendingmessages metadata, status and commands through interface 2604. The statemachine 2602 implements the logic the link emulator 2501 includes. Thelogic the state machine 2602 implements includes, but is not limited to,updating the state, immediately responding to events etc. (e.g. uponreceiving a TCP message it updates the window stored in 2603, changingthe state and sends an Ack message through the protocol abstractionlayer 2601). The state/configuration data module 2603 stores the currentstate of the link emulator 2501 and can be accessed both by the statemachine 2602 and the state filter and updater 2502. The state machine2602 and the state/configuration data 2603 modules communicate bysending states to each other through the state interface 2605.

In some embodiments, the state filter and updater 2502 reads the statefrom each link emulator 2501 using the read-state link 2504 passively oractively and according to the proxy logic it configures the state oneach of the link emulators 2501 through the configuration link 2503. Insome embodiments, messages are never directly transferred between linkemulators 2501; the only communication between link emulators 2501 is byusing a state update. The state filter 2502 will enable only legitimatestates to pass between link emulators 2501.

In some embodiments, the logic of the proxy element 2500 is eitherhardcoded or configurable.

Existing conventional stateful filters have an internal state machinethat tries to emulate the state of the transferred messages and when thestate machine discovers an anomaly, messages are discarded. When thefilter's state machine is different than the state machine used by thecommunicating parties an inconsistent state may occur between the filterand the communicating parties, allowing forbidden communication to pass(e.g. different TCP timeout configuration). In some embodiments,allowing only a state to pass between the link emulators and correctlydesigning the proxy, can solve the aforementioned problem.

A proxy application example according to some embodiments of thecurrently disclosed subject matter is now described:

A radio 112 often uses the vehicle's integrated display to displayinformation (e.g. radio station frequency). The example assumes a normalradio-vehicle communication is between the radio and the display system.The display system sends its model type and repeatedly sends akeep-alive message. The radio 112 communicates with the display system,queries the model type and sends display data according to the display'scapabilities.

A proxy element application 2700, as seen in FIG. 23 , consists of alink emulator 2701 towards the vehicle 2708, a link emulator 2703 towardthe radio 112 and a state filter and updater 2502, according to someembodiments. The proxy element is only a part of the security system703, which was omitted from the figure for the sake of clarity.

The link emulator 2701 towards the vehicle 2708 is connected between thevehicle 2708 and the state filter and updater 2502. It holds theformatted text (display data) 2704 designated for the display and thedisplay type (state) 2705. At startup, this link emulator towards thevehicle 2701 queries the display system for its type, stores theinformation in 2705 and sends it to the state filter and updater 2502.The link emulator towards the vehicle 2701 is in operational mode if itholds a valid display data and a valid display type. When in operationalmode the link emulator 2701 sends messages containing display data onevery display data change according to the display type.

The link emulator towards the radio 2703 is connected between the radio112 and the state filter and updater 2502. It contains the same type ofregisters as the link emulator toward the vehicle 2701. At startup, thelink emulator 2703 waits to receive a display type from the state filterand updater. Once the link emulator 2703 has a valid display type in2707 it responds to queries for the display type received from theradio. The link emulator 2703 sends repeated keep-alive messages to theradio. The link emulator 2703 stores the data from the display messagesreceived from the radio in the display data register 2706. If thedisplay data register 2706 is changed, the link emulator 2703 sends thenew state to the state filter and updater 2502.

The state filter and updater 2502 receives the display type from thelink emulator toward the vehicle 2701. If the display type is valid, thestate filter and updater 2502 sends it to the link emulator towards theradio 2703. The state filter and updater 2502 receives the display datafrom the link emulator towards the radio 2703. If the display data isvalid, it sends the data to the link emulator towards the vehicle 2701.

It must be understood that the rules 2102 described above are merely anexample of possible types of rules 2102, and rules 2102 can also be anykind of other rules 2102, or any combination of them. There is apossibility to combine rules 2102 in a row, such that the output messageof one rule 2102 will be sent as an input to the next rule 2102. A rule2102 can also change the message properties, content, or any other datarelated to the message, before sending it to its output interface 2002.Any person skilled in the art and reading the current specification willimmediately be able to advise different types and combination of rules2102, and all these rules 2102 are encompassed by the present invention.

Critical ECUs with External Communication

Some previously described embodiments related to protecting safetycritical ECUs 100 which do not have any external communicationinterfaces. However, in embodiments where safety critical ECUs 100 haveexternal communication interface(s) the security system 703 can also beused to protect ECUs 75 as described in this section.

In some embodiments, safety critical ECUs 100 have an externalcommunication interface (e.g. some vehicle to vehicle (V2V)communication ECU are able to command the vehicle to brake). Such an ECUcould send critical messages (i.e. having effect on the vehicle'sbehavior) and non-critical messages (e.g. traffic information). Thenon-critical messages can be filtered in the same manner as described inprevious sections.

In some embodiments, some ECUs responsible for safety 100 (e.g.Electronic stability control (ESC) 110 or Mobileye) have the ability tosupervise messages arriving from the driver (e.g. an ESC ECU monitorsthe brake pedal and prevents skidding because of braking). Such an ECU110 can supervise specific critical messages, and prevent harm caused bythese messages. These messages are denoted by ECM (external criticalmessages).

In some embodiments, the security system 703 can allow the relevant ECM(i.e. ECM supported by the critical external ECU) to pass towards thevehicle's inner bus 105 as long as these messages are supervisedeffectively by a safety ECU. In this manner critical and potentiallylifesaving critical messages are supported securely by the vehicleselectronic system 101. Such a security system 703 can also be used incase there is no relevant safety ECU, but in such case it will bepossible to attack the vehicle using the allowed critical messages.

In some embodiments where an ECU with an external communication has theability to send critical messages to the communication bus 105, thedriver should have the ability to manually override or disable themessages from this ECU.

MODBUS and Other Control Protocols

MODBUS is a protocol extensively used in industrial control systems.Similarly to CAN bus 105, it is a simple protocol used by controllers.Additionally, several other control protocols with similarcharacteristics exist such as FlexRay, VAN bus, LIN bus etc. Theembodiments described above for CAN bus can be applicable for othercommunication protocols, such as MODBUS, mutatis mutandis.

In some embodiments, the main difference between the implementation of afilter and/or proxy 703 for CAN bus 105 and any other protocol is thephysical layer and the specific filter logic. Different protocols havedifferent message characteristics thus requiring different type offiltering (e.g. a MODBUS filter takes a special notice to the functioncode field). The proxy logic may be different but the proxy concept isthe same: The link emulator 2501 has to handle communication withspecific communication protocol (e.g. message handling and specificstate machine 2602 for the protocol). The state filter and updater 2502filters and updates the state as the CAN bus 105 proxy state filter andupdater.

MODBUS is built as master-slave architecture, meaning there is onemaster and one or more slaves connected to the bus 105. The master cansend a request (e.g. read or write data command) to one or more slaves,and the relevant slaves should act according to the request and sendtheir response to the master over the bus 105.

In some embodiments, a proxy 703 protecting such communication bus 105may save the sent request properties, and allow only the relevantresponse to pass towards the master (e.g. the request and response canbe characterized by their function code).

In some embodiments, the said proxy 703 can also generate the receivedrequest and/or response by itself according to the messages it receives,and send the generated message instead of the original message.

In some embodiments, a proxy 703 may block requests originating from anycomponents which should not function as the master on the bus.

Authentication Unit

In one embodiment of the present invention, the security system 703 alsofunctions as an authentication unit. The authentication unit can beanother module of the security system 703 of the invention.

The authentication unit of the invention is responsible for verifyingthat communication is performed with authentic counterparts inside oroutside the vehicle's electronic system 101. Authentication units can beintegrated with ECU's 75 and in particular with ECU's 75 that don't havean external communication interface. For better security, anauthentication unit can be coupled to every safety critical ECU 110,every valuable ECU 75 and every ECU with an external communicationinterface 109.

The authentication unit can employ one or more mechanisms forauthentication of a communication source or destination. In someembodiments, authentication units can be the source or destination ofmessages. These mechanisms are, for example, authentication of a sourceor destination element (that sends or receives messages); conditionaltransmission of messages based on a successful authentication; andsignature and/or signature verification of messages.

In some embodiments, the authentication unit can also encrypt and/ordecrypt messages. This type of encryption can be used for secrecy,integrity, authenticity etc.

Authentication—any authentication unit (stand-alone or coupled to orintegrated with an ECU 905) can perform an authentication procedure withany other authentication unit (stand-alone or coupled to or integratedwith an ECU 905). In some embodiments, a stand-alone authentication unitcan be coupled with a bus 105. In some embodiments, a stand-aloneauthentication unit can be coupled with one or more ECU's 75. In someembodiments, the authentication unit is integrated with one ECU 905(i.e. the authentication unit is included inside the ECU 905 as part ofthe security system 703). In some embodiments, the authentication unitis a stand-alone security system 703 that is not coupled with any ECU 75when proving its existence itself is meaningful, for example, forproving that a general sub-system was provided by a valid supplier. Insome embodiments, referring to authenticating an ECU 75 meansauthenticating the authentication unit coupled with it.

In some embodiments, each authentication unit is configured with a listof all the authentication units in the system 101 with whichauthentication is required. Each authentication unit can periodicallyinitiate an authentication process with any other authentication unit.The period after which the authentication must be renewed can be fixedor variable per authentication unit. The authentication process caninvolve a challenge message from one authentication unit to another. Thereceiving authentication unit then responds to the challenge with aresponse (typically encrypted). The authentication unit that has sentthe challenge message verifies the response and if correct, marks thatauthentication unit in the list as authenticated. If the response is notcorrect, the challenge may be repeated one or more times, after whichthat authentication unit will be marked in the list as unidentified (notauthenticated).

The challenge and response messages flow between authentication units asregular messages in the vehicle electronic system. These messages arereceived by a receiving unit. The classification unit classifies them aschallenge/response messages and sends them to the message analyzer unitwhich handles them.

The message analyzer unit is capable of initiating challenge messageswhen it is necessary to authenticate an ECU 75 before delivering amessage to it or considering a message from it.

In some embodiments, the authentication process can also be initiated byan authentication unit, when the authentication unit or the ECU 75 towhich it is coupled, are programmed to periodically authenticate ECU's75 on its authentication list.

In some embodiments, the authentication process can be one-way ortwo-way. In a one-way authentication process, each authentication unitsends a challenge to the other. That is, authentication unit Achallenges authentication unit B, and authentication unit B challengesauthentication unit A. In a two-way authentication process, thechallenge message sent by authentication unit A to authentication unit Bis sufficient for authenticating authentication unit A, andauthentication unit B does not need to issue its own challenge messageto authentication unit A.

In some embodiments, the authentication process can be multi-way, thatis authentication unit A broadcasts a challenge and/or response messagethat reaches a plurality of authentication units over one or morecommunication buses 105.

Conditional Message Transmission Based on Authentication—the messageanalyzer unit can be configured to transmit a message only if anauthentication requirement is fulfilled. Examples of authenticationrequirements include but are not limited to: that the sourceauthentication unit is authenticated; that the destination ECU 75 isauthenticated; that any other ECU 75 (not source or destination) isauthenticated; that any combination of ECU's 75 are authenticated etc.The authentication requirement can be against the source, destination orany other ECU 75.

When a message that requires authentication arrives to the messageclassification unit, the message is classified as requiringauthentication against ECU X 75, and the message is sent to the messageanalyzer unit. The message analyzer unit verifies if ECU X 75 isauthenticated. If ECU X 75 is authenticated, the message analyzer unitcontinues to process the message. If ECU X 75 is not authenticated, themessage analyzer unit can decide either to discard the message or toissue a challenge message to ECU X 75 to see if it authenticates itself.

It should be emphasized that the authentication requirement does nothave to involve necessarily the source or destination ECU 75. Forexample, when ECU 1 75 sends a message to ECU 2 75, it may be requiredthat ECU 1 75 is authenticated with ECU 7 75 before the message can betransmitted to ECU 2 75.

Signature and Verification—One of the actions that the message analyzerunit can perform relates to the signature of messages. When a messagearrives with a signature, the analyzer unit can verify that signature isvalid. The analyzer unit can also add a signature to a message beforetransferring it to the transmission unit.

FIG. 24 illustrates a basic one way communication filter/proxy securitysystem 703. A message received by the physical port input 1800 isinserted into the message receiving unit in message handler 1801. Themessage receiving unit transmits the message through the proxy interfaceinput 2000 to the message classification unit (classifier) 2100 in theone way filter/proxy element 1304. The classifier 2100 classifies themessage and sends the message and the message classification to theaction selector 2801 in the message analyzer unit 2800, which choosesthe proper action according to the classification. The message analyzerunit 2800 performs an action 2102 (without loss of generality) on themessage according the classification and sends a message (if needed)through the proxy interface output 2002 to the message transmission unit1801. The message transmission unit in the message handler 1801transmits the message to the physical port output 1800.

FIG. 25 illustrates one embodiment of the process of verifying/signingmessages between communication filter/proxy (security systems) A and B905. A message is sent by an ECU A logic 900 to a communicationfilter/proxy A 905 (containing rules for an authentication unit 2900,which illustrates the group of rules 2102 in charge of theauthentication and signature processes). The ECU logic 900 is basicallypart of or all of the processing mechanisms of the ECU 905 except forthe physical layer driver/transceiver 904 which is in charge ofphysically sending the communication signals to the outside world, whichis a communication bus 105. The message arrives to the classificationunit 2100 which classifies the message as “signature required againstcommunication filter/proxy B” 905. The analyzer unit 2800 receives themessage and proceeds to sign it against communication filter/proxy B905. The signature process involves modifying the original message byadding a signature to it (in a predetermined format). The analyzer unit2800 can further process the message (in addition to the signature) inaccordance with the classification instructions received and generalrules 2102 of the analyzer 2800. The analyzer unit 2800 will then sendthe message to the message transmission unit in the message handler 1801which will send the message to its destination 904, which is a physicallayer driver (port) of A.

The message will then arrive to its destination port 904 in ECU B 905,and will be transferred to the receiving unit in the message handler1801 in communication filter/proxy B 703 and from there to theclassification unit 2100. The classification unit 2100 classifies themessage as requiring signature verification against communicationfilter/proxy A 703. When the analyzer unit 2800 receives the message, itverifies that the signature is authentic. If the signature is verified,the original message is extracted from the signed message andtransferred to the relevant message transmission unit in the messagehandler 1801 which delivers the message to the logic 900 of B.

In some embodiments, if the signature verification has failed, theanalyzer unit 2800 will ignore (discard) the message and no furtheraction will be taken on the message. In some embodiments, the result ofthe signature verification will be logged.

There can be many implementations of adding and verifying a signatureand they are all encompassed by the present invention. One such examplecan be: calculating a hash value on the content of the message data, andthen encrypting the result using a shared key between the parties. Thesignature is done by adding the encrypted result to the message, and theverification is done by doing that process and comparing the result tothe embedded sent signature. If both results are equal—the message'ssignature is valid.

In some embodiments, one or more communication filter/proxy securitysystems 703 of the invention can be implemented outside the vehiclecomputerized system 101.

In some embodiments, for efficiency considerations, the signatureaddition and/or verification does not need to occur with all messages,but only with messages that were classified as such by theclassification unit.

The classification unit 2100 takes into consideration the formatrequirements of each message, including maximum allowed length, so thatwhen adding a signature the message is still valid and can betransmitted and read properly. The system should be consistent with theprotocol even when modifying messages. That means that not all messageswill be signed for example if the signature will make the message sizeexceed the protocol's limit.

If, for example, ECUs A and B 75 exchange messages of different typesand size, even if only one type of messages malfunctions, the entiresystem may malfunction, a situation that must be avoided. Accordingly,the classification unit 2100 is configured so that signed messages meetall the format requirements of regular (unsigned) messages, and thus canbe transmitted and read correctly.

1. A method for use with a vehicle bus that consists of, employs, uses, is based on, or is compatible with, a Controller Area Network (CAN) that carries messages that are associated with a timing information, each of the messages comprises a respective header, a respective source identification, a respective destination identification, and a respective content, the method comprising: storing, in a non-volatile memory in a device a timing rule that includes one or more timing values; transmitting messages to, and for receiving messages from, a communication bus via a first physical port by a first transceiver in the device; transmitting CAN messages to, and receiving CAN messages from, the vehicle bus via a second physical port by a second transceiver in the device; executing, by a processor in the device, a software for controlling the first and second transceivers; receiving, from the communication bus via the first physical port by the first transceiver in the device, a first message; comparing, by the processor, a timing information of the first message with the one or more timing values; passing, blocking, or changing and then sending, the first message to the vehicle bus via the second physical port by the second transceiver in the device, in response to the comparing of the first message; receiving, from the vehicle bus via the second physical port by the second transceiver in the device, a second message; comparing, by the processor, a timing information of the second message with the one or more timing values; and passing, blocking, or changing and then sending, the second message to the communication bus via the first physical port by the first transceiver in the device, in response to the comparing of the second message.
 2. The method according to claim 1, wherein device comprises a single package that houses the processor, the memory, the first and second ports, and the first and second transceivers.
 3. The method according to claim 2, wherein the device is part of, or comprises, an Electronic Control Unit (ECU).
 4. The method according to claim 1, further comprising receiving, by the device, the timing rule.
 5. The method according to claim 4, wherein the receiving of the timing rule comprises receiving from the first port or from the second port.
 6. The method according to claim 4, wherein the receiving of the timing rule comprises receiving of the timing rule from a data unit via a third physical port by a third transceiver in the device.
 7. The method according to claim 1, wherein the storing comprises storing multiple timing rules, and wherein the comparing of the first or second message comprises comparing to the multiple timing rules.
 8. The method according to claim 1, wherein the processor is a hardware-based processor.
 9. The method according to claim 1, wherein the first or second message includes a respective value, wherein the timing rule comprises one or more values, and wherein the comparing of the first or second message comprises comparing to the one or more values.
 10. The method according to claim 1, wherein the timing rule corresponds to the message header, the message content, the message length, the identification (ID) of a message, the message destination, or any combination thereof.
 11. The method according to claim 1, wherein the comparing of the first or second message comprises comparing a value in the identification (ID) field of the respective message.
 12. The method according to claim 1, further comprising adapting between a messages rate on the vehicle bus and a messages rate on the communication bus by a buffer coupled between the first and second transceivers in the device.
 13. The method according to claim 1, further comprising limiting a rate of transmitting messages to the first or second port.
 14. The method according to claim 13, wherein the limiting comprises limiting a rate of transmitting messages to the vehicle bus via the second physical port.
 15. The method according to claim 14, wherein the limiting comprises adapting between the message incoming rate from the first port and the message outgoing rate to the communication bus via the second physical port using a buffer in coupled between the first and second transceivers.
 16. The method according to claim 1, further comprising sending a message to the first or second port only a pre-determined time interval after a previous message was transmitted thereto.
 17. The method according to claim 16, further comprising sending a message to the vehicle bus via the second physical port only a pre-determined time interval after a previous message was transmitted thereto.
 18. The method according to claim 1, wherein the non-volatile memory is Flash-based.
 19. The method according to claim 1, wherein the communication bus comprises a serial data bus, wherein the first physical port is a serial physical port connection, and wherein the first transceiver is a serial data transceiver for communication over the serial data bus.
 20. The method according to claim 19, wherein the serial data transceiver comprises a Universal Asynchronous Receiver Transmitter (UART).
 21. The method according to claim 19, wherein the serial data bus is based on, or uses, RS-232.
 22. The method according to claim 1, further comprising encrypting a part of, or whole of, the content of part of, or all of, the messages that are transmitted to the first or second ports.
 23. The method according to claim 1, further comprising temporarily storing messages received from the first port using a buffer coupled to the first transceiver.
 24. The method according to claim 1, further comprising temporarily storing messages received from the second port using a buffer coupled to the second transceiver.
 25. The method according to claim 1, further comprising temporarily storing messages to be transmitted via the first port using a buffer coupled to the first transceiver.
 26. The method according to claim 1, further comprising temporarily storing messages to be transmitted via the second port using a buffer coupled to the second transceiver.
 27. The method according to claim 1, wherein the first transceiver comprises a physical layer driver adapted to transmit or receive messages respectively to or from the first port.
 28. The method according to claim 1, wherein the second transceiver comprises a physical layer driver adapted to transmit or receive messages respectively to or from the vehicle bus.
 29. The method according to claim 1, further comprising storing at least part of the messages received from the communication bus via the first port or from the vehicle bus via the second port.
 30. The method according to claim 1, further comprising filtering messages between the first and second ports using a filter coupled between the first and second transceivers.
 31. The method according to claim 30, wherein the filter is part of, or comprises, the software, the processor, or any combination thereof.
 32. A method for use with a vehicle bus that consists of, employs, uses, is based on, or is compatible with, a Controller Area Network (CAN) that carries messages that are associated with a timing information, each of the messages comprises a respective header, a respective source identification, a respective destination identification, and a respective content, the method comprising: storing, in a non-volatile memory in a device first and second timing rules, each including one or more timing values; transmitting messages to, and for receiving messages from, a communication bus via a first physical port by a first transceiver in the device; transmitting CAN messages to, and receiving CAN messages from, the vehicle bus via a second physical port by a second transceiver in the device; controlling, by a hardware logic in the device, the first and second transceivers; receiving, from the communication bus via the first physical port by the first transceiver in the device, a first message; comparing, by the hardware logic, a timing information of the first message with the one or more timing values of the first timing rule; passing, blocking, or changing and then sending, the first message to the vehicle bus via the second physical port by the second transceiver in the device, in response to the comparing of the first message; receiving, from the vehicle bus via the second physical port by the second transceiver in the device, a second message; comparing, by the hardware logic, a timing information of the second message with the one or more timing values of the second timing rule; and passing, blocking, or changing and then sending, the second message to the communication bus via the first physical port by the first transceiver in the device, in response to the comparing of the second message.
 33. The method according to claim 32, wherein device comprises a single package that houses the hardware logic, the memory, the first and second ports, and the first and second transceivers.
 34. The method according to claim 33, wherein the device is part of, or comprises, an Electronic Control Unit (ECU).
 35. The method according to claim 32, further comprising receiving, by the device, the first and second timing rules.
 36. The method according to claim 35, wherein the receiving of the timing rules comprises receiving from the first port or from the second port, or wherein the receiving of the timing rules comprises receiving of the timing rules from a data unit via a third physical port by a third transceiver in the device.
 37. The method according to claim 32, wherein the first or second message includes a respective value, wherein the timing rule comprises one or more values, and wherein the comparing of the first or second message comprises comparing to the one or more values.
 38. The method according to claim 32, wherein the timing rule corresponds to the message header, the message content, the message length, the identification (ID) of a message, the message destination, or any combination thereof.
 39. The method according to claim 32, wherein the comparing of the first or second message comprises comparing a value in the identification (ID) field of the respective message.
 40. The method according to claim 32, further comprising adapting between a messages rate on the vehicle bus and a messages rate on the communication bus by a buffer coupled between the first and second transceivers in the device, or wherein the method further comprising limiting a rate of transmitting messages to the first or second port.
 41. The method according to claim 40, wherein the limiting comprises limiting a rate of transmitting messages to the vehicle bus via the second physical port, or wherein the limiting comprises adapting between the message incoming rate from the first port and the message outgoing rate to the communication bus via the second physical port using a buffer in coupled between the first and second transceivers.
 42. The method according to claim 32, further comprising sending a message to the first or second port only a pre-determined time interval after a previous message was transmitted thereto.
 43. The method according to claim 42, further comprising sending a message to the vehicle bus via the second physical port only a pre-determined time interval after a previous message was transmitted thereto.
 44. The method according to claim 32, wherein the communication bus comprises a serial data bus, wherein the first physical port is a serial physical port connection, and wherein the first transceiver is a serial data transceiver for communication over the serial data bus.
 45. The method according to claim 44, wherein the serial data transceiver comprises a Universal Asynchronous Receiver Transmitter (UART), or wherein the serial data bus is based on, or uses, RS-232.
 46. The method according to claim 32, further comprising encrypting a part of, or whole of, the content of part of, or all of, the messages that are transmitted to the first or second ports.
 47. The method according to claim 32, further comprising temporarily storing messages received from the first port using a buffer coupled to the first transceiver, or wherein the method further comprising temporarily storing messages received from the second port using a buffer coupled to the second transceiver.
 48. The method according to claim 32, further comprising temporarily storing messages to be transmitted via the first port using a buffer coupled to the first transceiver, wherein the method further comprising temporarily storing messages to be transmitted via the second port using a buffer coupled to the second transceiver, wherein the first transceiver comprises a physical layer driver adapted to transmit or receive messages respectively to or from the first port, or wherein the second transceiver comprises a physical layer driver adapted to transmit or receive messages respectively to or from the vehicle bus.
 49. The method according to claim 32, further comprising storing at least part of the messages received from the communication bus via the first port or from the vehicle bus via the second port.
 50. The method according to claim 32, further comprising filtering messages between the first and second ports using a filter coupled between the first and second transceivers, and wherein the filter is part of, or comprises, the hardware logic. 